July 28, 2000
Audit Report No. 00-030


Audit of the Development of the
Electronic Travel Voucher Payment
System


TABLE OF CONTENTS

BACKGROUND

OBJECTIVES, SCOPE, AND METHODOLOGY

RESULTS OF AUDIT

IMPROVED CONTROLS ARE NEEDED TO MONITOR DEVELOPMENT
COSTS AND SCHEDULES

     Recommendation

IMPROVED PROCEDURES ARE NEEDED TO TRACK PROJECT COSTS

     Recommendation

NEW PROJECT MANAGEMENT PROCEDURES ARE NEEDED WHEN
DEVELOPMENT PROJECTS CROSS DIRM ORGANIZATIONAL LINES

     Recommendations

MULTIPLE LISTS OF EMPLOYEE NAMES HINDERED ETVPS
DEVELOPMENT

     Recommendations

CORPORATION COMMENTS AND OIG EVALUATION

APPENDIX I - PRIOR OIG CORRESPONDENCE

APPENDIX II – MEMORANDUM: DIRM COMMENTS

APPENDIX III – MEMORANDUM: DOA COMMENTS

APPENDIX IV – MEMORANDUM: DOF COMMENTS

APPENDIX V – TABLE: MANAGEMENT RESPONSES TO
             RECOMMENDATIONS


Federal Deposit Insurance Corporation                    Office of Audits
Washington, D.C. 20434                                   Office of Inspector General


DATE:            July 28, 2000

TO:              Donald C. Demitros, Director, Division of Information Resources Management
                 and Chief Information Officer

                 Fred Selby, Director, Division of Finance

                 Arleas Upton Kea, Director, Division of Administration

FROM:            David H. Loewenstein
                 Assistant Inspector General

SUBJECT:         Report Entitled Audit of the Development of the Electronic Travel Voucher Payment
                 System (Audit Report No. 00-030)


The Federal Deposit Insurance Corporation (FDIC) Office of Inspector General (OIG) has
completed an audit of the FDIC’s development of the Electronic Travel Voucher Payment System
(ETVPS). The objectives of this audit were to determine whether ETVPS adhered to generally
accepted system development life cycle (SDLC) procedures, user requirements were adequately
defined, and system deliverables satisfied user requirements in a cost-effective and timely manner.

The FDIC’s development of ETVPS generally adhered to accepted system development life cycle
procedures, and user requirements were accurately and fully defined. While ETVPS did not fully
meet user requirements when first released for use, the Division of Information Resources
Management (DIRM) and the Division of Finance (DOF) have taken actions to address needed
corrections and ensure that the system will fully meet user requirements. Also, lack of cost controls
impacted the cost-effectiveness of the project; however, at the time of ETVPS development, DIRM
had not yet completed procedures to ensure more effective cost controls. The OIG has been
involved throughout the development effort.
We have issued other products related to ETVPS
development during the project as described in the background section of this report.

This report identifies opportunities for the FDIC to improve project management and cost controls
for future system development efforts and contains eight recommendations. Five of the
recommendations are addressed to the Director, DIRM and Chief Information Officer (CIO); four
of these are intended to improve the FDIC’s system development management and the other is
intended to improve the interim user identification process. One recommendation addressed to the
Director, DOF, is designed to improve accounting for project costs. The two recommendations
addressed to the Director, Division of Administration (DOA), are designed to eliminate
cumbersome reconciliation procedures currently needed to maintain and validate the accuracy of
employee listings needed for user authentication, process routing, and other processes that are
dependent on accurate employee information. Other needed control improvements identified are
being addressed by management in response to recommendations contained in another audit report
entitled FDIC’s Strategic Planning for Information Technology Resources (Audit Report No.
00-013).

BACKGROUND

Up until ETVPS became operational in November 1999, the FDIC used the Travel Management
System (TMS) to process travel vouchers. Employees filed paper vouchers that were manually
entered into TMS. Reimbursement of travel expenses to employees took at least 2 weeks using this
process. These processes included manual preparation of paper vouchers, manual supervisory
review of the vouchers, manual revisions when needed, and a process to audit 100 percent of all
vouchers submitted.
While these processes generally achieved desired results, they were
time-consuming, labor intensive, and not cost-effective.

The project to develop ETVPS was initiated to reduce the costs and inefficiencies associated with
the manual operations related to travel voucher preparation and processing. DOF and DIRM
initiated the ETVPS project on February 6, 1996 with the goal of providing an electronic travel
process for all FDIC employees required to travel on official business. An inter-divisional project
team was formed to re-engineer the travel process and develop an electronic travel management
system to support it. In November 1996, the project team, which consisted of representatives from
all major FDIC divisions, produced an ETVPS Feasibility Study that concluded that an electronic
travel process would be more cost-effective than the current manual system. The study projected an
implementation date of July 1, 1998 at a cost of $505,290. On January 21, 1997, the project team
completed the initial system requirements. System requirements were finalized during February
1998.

We started our audit of ETVPS in March 1996 shortly after the project initiation date of February 6,
1996. To provide management with our observations, suggestions, and recommendations regarding
the project in a timely manner, we performed our work as development activities progressed.
During our audit, we provided oral observations and suggestions to management. Management
took action on many of the suggestions we provided. We also issued several memoranda containing
suggestions related to the development of ETVPS and two interim audit reports with
recommendations for improving development efforts. Management agreed with our suggestions and
recommendations and, in some cases, had planned similar actions. The reports and memoranda are
included in appendix I.
This report contains additional observations and recommendations based on
our overall review of the project.

ETVPS was one of the first projects to follow the FDIC’s new SDLC Manual, including revisions
made during ETVPS development. The SDLC manual divides system development into eight
distinct phases: (1) Planning, (2) Requirements Definition, (3) External Design, (4) Internal Design,
(5) Development, (6) Testing, (7) Implementation, and (8) Maintenance. The purpose of a
structured SDLC is to ensure effective management and control for system development projects.
The FDIC’s SDLC Manual does not fully address cost controls. We have issued a number of audit
reports on the need for improved cost controls for the FDIC’s system development efforts. In
response to one of these reports, Audit of the Time and Attendance Processing System Development
Project (II) (Audit Report No. 99-011), the FDIC’s former Deputy to the Chairman and Chief
Operating Officer instructed DIRM to develop procedures to ensure more effective cost controls,
including alerting the Information Technology (IT) Council of significant changes in a project’s
cost, schedule, and risk. In response to another recent audit report entitled Audit of the FDIC’s
Strategic Planning for Information Technology (Audit Report No. 00-013), DIRM and the FDIC’s
IT Technical Committee developed such procedures. However, these procedures have not yet been
incorporated into either formal policy or the SDLC Manual and were not in place during ETVPS
development.

The FDIC’s SDLC Manual establishes roles and responsibilities for DIRM’s project managers and
the clients’ program managers during system development projects.
The project manager has
responsibility for coordinating all DIRM efforts and resources needed to support the project. The
program manager defines the planned system’s scope, requirements, and benefits and coordinates
with the project manager regarding schedules, resources, and budgets.


OBJECTIVES, SCOPE, AND METHODOLOGY

The objectives of this audit were to determine whether (1) the ETVPS project adhered to
generally accepted system development life cycle procedures, (2) user requirements were
adequately defined, and (3) system deliverables satisfied user requirements in a cost-effective
and timely manner.

To accomplish the audit’s objectives, we attended ETVPS Steering Committee meetings; analyzed
data related to the FDIC’s prior travel management process; contacted other federal agencies to
identify successful travel management streamlining practices; interviewed key DIRM, DOF, and
contractor personnel; and reviewed key system development documents, including alternatives and
cost-benefit analyses, functional requirements documents, external and internal design documents,
test scripts, and the ETVPS implementation plan. We also analyzed cost data contained in the
FDIC’s Financial Information Management System (FIMS) and DIRM’s project costing records.

We reviewed development activities conducted between March 1996 and April 2000 and conducted
our work in a real-time mode during the same time frames in accordance with generally accepted
government auditing standards.


RESULTS OF AUDIT

ETVPS will benefit the Corporation by reducing the time needed to prepare travel vouchers and
streamlining voucher processing and will provide travelers with a paperless means of obtaining
rapid reimbursement for their travel expenses. Before ETVPS became operational, employees filed
paper vouchers that were manually entered into TMS.
Reimbursement of travel expenses took at
least 2 weeks using this process. In addition, other costs such as administrative costs associated
with TMS, costs to audit all travel vouchers, and costs for the time it took employees to prepare
travel vouchers mounted considerably over the years. Rather than automating existing manual
processes, the ETVPS project team re-engineered the FDIC’s travel process to reflect current trends
and ease the burden of travel requests, approvals, and reimbursement.

The FDIC followed a sound and structured methodology for developing the system and the
development effort generally adhered to the FDIC’s SDLC procedures. ETVPS user requirements
were adequately defined. However, system deliverables did not satisfy all user requirements when
implemented in November 1999. The ETVPS project team has been addressing the remaining
requirements since implementation.

Significant delays in system implementation and increases in costs raise serious questions about the
timeliness and cost-effectiveness of the project. The system was originally scheduled for
implementation in July 1998 but was not delivered until November 1999. Costs were originally
estimated at $505,290 and exceeded $13.8 million as of February 29, 2000. Throughout the project
the ETVPS project team submitted annual Information Technology Plans that included a
comparison of current year expenditures with the annual budget. However, these documents did not
provide inception-to-date expenditures. In addition, on July 28, 1998, key ETVPS team members
presented an interim Cost Benefit Analysis (CBA) to the IT Technical Committee requesting
additional funding for ETVPS.
However, $3.2 million expended in 1996 and 1997 was not included
in the CBA.

Subsequent changes in scope, cost, and schedule occurred without full knowledge or approval of the
FDIC’s IT Technical Committee or IT Council. In December 1998, the project team revised the
scope and schedule of the project due to delays in completing the initial portion of the system. The
project team also scaled back system requirements to reduce costs. Both of these actions were taken
and completed without the knowledge of the IT Technical Committee or IT Council. Further,
because all ETVPS development costs were not consistently or completely captured and allocated
throughout the project, neither the Corporation nor our office could fully determine the total cost of
ETVPS.

Technological changes during ETVPS development, while not impacting ETVPS requirements,
contributed to changes in the ETVPS development approach, estimated costs, and timeframes
needed to complete the project. Technological advances in hardware and software, which enabled
DIRM to take full advantage of common objects [1] using a multi-tiered application architecture, [2]
necessitated changes to the ETVPS development approach that increased costs and delayed
implementation. The simultaneous development and implementation of these various components
created a dynamic development environment necessitating close coordination among several DIRM
components. The ETVPS implementation schedule was delayed several times due to coordination
issues between various DIRM components. In several instances, ETVPS implementation tasks had
to be rescheduled because the Multi-Tiered Application Architecture Program/Common Objects
(MAAP/CO) or other support components were not completed when needed by ETVPS.

[1] Common objects are a set of independent, fully functional objects that can be used by any compatible application.
A
common object is a real life business function that is modeled and provided as a server. The server is then accessible by
any application that requires its services.

[2] Multi-Tier architecture allows developers to break down complex business processes into more manageable pieces,
allowing for reusability. The FDIC’s 3-tiered model consists of user-services, business services, and data services tiers.

Another factor that slowed ETVPS development and increased costs was the inconsistency of the
various lists of employee names that ETVPS needs to process travel authorizations and vouchers.
ETVPS uses several lists of employee names for security purposes and for automatic messaging.
These employee lists were originally developed for differing purposes, and the FDIC had no prior
need to ensure their consistency. However, the inconsistent representations of employee
names among the various lists ultimately complicated authorization and voucher processing in
ETVPS.


IMPROVED CONTROLS ARE NEEDED TO MONITOR DEVELOPMENT COSTS AND
SCHEDULES

ETVPS costs significantly exceeded amounts projected without the full knowledge and approval of
the IT Council. Although ETVPS will benefit the FDIC, the actual cost to develop the system
significantly exceeded the amounts originally anticipated and also exceeded subsequent cost
estimates that were reviewed and approved by the IT Council. Costs, originally estimated at
$505,290, were at least $13.8 million as of February 29, 2000, and additional funds were still
needed to complete the system. Budget overruns and delays during the project occurred without the
IT Council’s full knowledge. Therefore, the Council was not provided the opportunity to determine
whether and how the project should proceed.
The ETVPS development team also initiated
significant changes to the ETVPS scope, timeframes, and costs before developing a revised CBA
and presenting the proposed changes to the IT Technical Committee. The system, originally
scheduled for implementation in July 1998, was not delivered until November 1999.

Increases in costs and risks related to the project and schedule delays occurred throughout the
project without full IT Council knowledge or approval. The significant implementation delays and
cost increases associated with ETVPS development raise serious questions about its cost
effectiveness and whether it would have received continued IT Council approval if information had
been provided in a timely manner. In December 1998, the ETVPS project team determined that
fully automating special travel (first class, foreign, actual expense reimbursement) would not be
cost-effective and would push the completion date past December 31, 1999. In an attempt to reduce
costs, the ETVPS development team decided to reduce the functionality of a portion of the system.
The team proposed replacing some automated calculations associated with special travel with
manual calculations.

Despite significant changes in the overall development cost and schedule for ETVPS, the project
team initiated efforts on the new development approach before developing a revised CBA, receiving
formal approval of the ETVPS Steering Committee, or presenting the information to the IT Council
or IT Technical Committee. The ETVPS Steering Committee approved the change on March 24,
1999 without a revised CBA. On June 1, 1999, the ETVPS project team submitted a CBA to the IT
Technical Committee after work on the revised approach had been completed.

Chapter 1 of the FDIC’s SDLC Manual assigns the program manager, the principal user
representative, primary responsibility for project budget preparation and approval authority for
expenditure of funds.
This chapter also assigns the project manager, the principal representative
from the system development organization, the responsibility for overseeing the full spectrum of
system development activities, which includes working with the program manager to prepare the
project budget package for the IT Technical Committee.

The SDLC Manual does not specifically describe procedures to be followed when a project exceeds
its budget. We have issued a number of audit reports on the need for improved cost controls for the
FDIC’s system development efforts. In response to one of these reports, Audit of the Time and
Attendance Processing System Development Project (II) (Audit Report No. 99-011), the FDIC’s
former Deputy to the Chairman and Chief Operating Officer instructed DIRM to develop
procedures to ensure more effective cost controls, including alerting the IT Council of significant
changes in a project’s cost, schedule, and risk. DIRM and the FDIC’s IT Technical Committee
developed such procedures in response to another recent audit report entitled Audit of the FDIC’s
Strategic Planning for Information Technology (Audit Report No. 00-013).

The procedures call for a presentation to the IT Technical Committee by the project team for any
approved project experiencing or anticipating budget overruns. Based on the presentation, the IT
Technical Committee will recommend one of three options to the IT Council: (1) disapprove
additional funding, (2) re-allocate funds from other projects that are experiencing surpluses, or (3)
request additional funding from the FDIC Board of Directors. However, these procedures have not
yet been incorporated into formal policy or the SDLC Manual and were not in place during ETVPS
development.
Therefore, while these procedures should improve cost controls for future
development efforts, the timing of their development did not benefit ETVPS.

Recommendation

(1) We recommend that the Director, DIRM and CIO, incorporate the cost control procedures
developed by DIRM and the IT Technical Committee into either a formal policy directive or the
FDIC’s SDLC Manual.


IMPROVED PROCEDURES ARE NEEDED TO TRACK PROJECT COSTS

Although reported costs related to ETVPS development significantly exceeded both original and
revised estimates, all appropriate costs related to the system were not included in charges allocated
to the project. In addition to DIRM and DOF, DOA and the Division of Supervision (DOS) also
expended resources on the project. However, these and other costs related to the development effort
were not fully captured. Our office and the FDIC were unable to accurately and completely
determine all costs associated with the project because of the lack of effective procedures to
accumulate and allocate costs.

Costs for projects classified as major FDIC Projects, defined as projects with an anticipated cost
greater than $100,000, are tracked by FIMS through the use of a unique project number. However,
the project number field is not mandatory in the FDIC’s accounting system. Therefore, while this
method for tracking costs provides the capability to capture all expenditures, it does not ensure that
all costs will be charged to the appropriate project number. As a result, all costs associated with
DOS and DOA efforts relative to ETVPS were not fully captured. Further, the FDIC has no
assurance that other costs were accurately and completely recorded.

In addition, architecture costs to support ETVPS were not allocated to the project.
During
development, DIRM charged costs directly related to ETVPS to the associated project number.
DIRM established separate project numbers for some components of the architecture supporting
ETVPS--MAAP/CO, ENTRUST, and Microsoft Messaging Queue--and charged related costs to
these project numbers. While DOF believes that DIRM may have charged architecture-related costs
to ETVPS, we found no evidence of such charges. However, another architecture component,
CCHRIS, supports only ETVPS. Therefore, the costs associated with CCHRIS, which were charged
to the ETVPS project number, should be allocated entirely to ETVPS.

Additionally, DOF and DIRM used different methods for charging salaries to projects. DIRM
used fully loaded personnel costs. In contrast, DOF used salaries, payroll taxes, and retirement
costs but did not include the cost of benefits, thus understating the cost of resources allocated to the
project.

Recommendation

(2) We recommend that the Director, DOF, initiate changes to FIMS to make the use of project
numbers mandatory. To allow the project number to be a mandatory field and still permit time
charges that should not be charged to a project, a default project number should be developed to
account for those charges that should not be charged to projects.


NEW PROJECT MANAGEMENT PROCEDURES ARE NEEDED WHEN DEVELOPMENT
PROJECTS CROSS DIRM ORGANIZATIONAL LINES

During ETVPS development, coordination of resources by the project manager was difficult due to
the numerous DIRM organizations responsible for ENTRUST and the various components of
MAAP/CO. Simultaneous development of ETVPS and MAAP/CO created a dynamic environment.
In many instances, changes to MAAP/CO and ETVPS required reciprocal changes.
Needed support
from other related systems, such as the FDIC’s electronic signature software (ENTRUST), also
required coordination by the project manager.

In several instances, ETVPS implementation tasks had to be rescheduled because MAAP/CO or
other support components were not scheduled for completion when needed by ETVPS. For
example, ETVPS implementation had to be re-scheduled from September 5, 1999 to October 10,
1999 because the dates for installing new bank examiner software on laptop computers in DOS field
offices were not communicated to the ETVPS implementation team leader before the dates for
installing the ETVPS software were scheduled. Because each software update required examiners
to report to their assigned field offices and DOS did not want to require more than one unscheduled
trip, installation of ETVPS was delayed until the examination software was also ready for
installation.

Coordination difficulties also caused a problem with the ETVPS demonstration before actual
system rollout. System settings, changed by the project team for testing on the weekend prior to
presenting the ETVPS demonstration, were not reset. When the DOF testing team leader attempted
to demonstrate ETVPS, the system would not work properly.

ETVPS rollout was also delayed because of coordination issues between the ETVPS implementation
team and the ENTRUST implementation team. After the ETVPS implementation team prepared what they
thought was the final implementation plan, they learned that ENTRUST would not be ready for use on
the scheduled rollout date.

The FDIC’s SDLC Manual assigns the project manager oversight responsibility for the full
spectrum of system development activities, including coordinating the resources necessary to
develop a system.
The project manager is responsible for working with the program manager and
user community to define requirements, develop an overall project work plan, and ensure that
efforts and materials needed to support the system are completed. The project manager oversees all
development activities, ensuring compliance with SDLC and related policies and directives and
ensuring appropriate approvals and signatures are obtained. However, the complexity of
MAAP/CO, which uses state-of-the-art programming approaches that were new to DIRM, could not
have reasonably been foreseen at the beginning of the ETVPS project. The number of people,
organizations, and skills needed were significantly greater for ETVPS because of the use of
common object technology. However, DIRM’s experience with the development of ETVPS in such
an environment illustrates the need for close coordination between all involved DIRM components
during development efforts.

ETVPS project coordination difficulties were discussed with DIRM officials who agreed that ETVPS
development coordination will provide lessons learned for future common object development
projects. DIRM management agreed that project managers responsible for projects using common
object technology should identify all needed human, hardware, software, and service resources and
obtain necessary commitments from management regarding these resources early in the project.


Recommendations

We recommend that the Director, DIRM and CIO, develop specific procedures for system
development projects that will cross DIRM organizational lines.
The procedures should clarify the
role and responsibilities of the project manager and should include:

(3) Identifying, at the beginning of the project, all resources believed necessary to complete the system
    development project and updating this information periodically.

(4) Obtaining commitments from appropriate DIRM components to ensure the availability of needed
    resources throughout the project.

(5) Developing a process to schedule and monitor project resources obtained from DIRM sections.


MULTIPLE LISTS OF EMPLOYEE NAMES HINDERED ETVPS DEVELOPMENT

ETVPS and other FDIC systems need consistent employee name lists for user validation, security,
and supervisory approval of travel authorizations and vouchers. Currently, the FDIC maintains
several lists of employee names including one maintained by the United States Department of
Agriculture’s National Finance Center. Each of these lists was developed over the years for
specific purposes and the FDIC had no need to ensure their consistency. The lists often contain
different representations of employee names. For example, one may list employees by official
names while others may use nicknames. Because ETVPS must use these various lists until the
Corporate Human Resources Information System (CHRIS) is implemented in the first quarter of
2001, the different name representations can and already have caused users to be denied access to
ETVPS. Further, having multiple name representations has prevented supervisory approval of
authorizations and vouchers. It also can contribute to third parties being unable to create travel
authorizations for other travelers. Creating such authorizations was one of the main requirements of
ETVPS and is a standard DOS practice.

Initially, DOA was to develop a standardized list of employee names to support the Time and
Attendance Processing System (TAPS).
However, TAPS was cancelled before a standardized
employee list was developed. Because CHRIS is not scheduled for initial implementation until the
first quarter of 2001, interim procedures are needed to ensure the timely and consistent entry of
employee names for ETVPS use.

To illustrate the need for interim procedures, DOS field office employees often travel to attend
orientation training at their regional office shortly after reporting for duty. If the FDIC waited for
the NFC employee list to be updated, the new employee would not be able to file a travel
authorization to attend orientation until completing a payroll cycle. The ETVPS project team had to
devise a way, other than interfacing with NFC, to load new employee names into ETVPS. Attempts
to use the lists of names maintained by other divisions resulted in hundreds of mismatches,
omissions, and invalid names. Labor-intensive manual reconciliations were needed to ensure the
accuracy of the information, as shown in the following discussion.

The ETVPS project team decided to use the list of names from the FDIC’s digital signature and
encryption software, ENTRUST, as a benchmark for traveler identification, because names in this
system were supposed to be legal names of active employees who logged on to ETVPS. This list is
also reconciled with CCHRIS, which is used for determining an employee’s supervisor. ETVPS
also uses the FDIC’s e-mail system, Microsoft Outlook, and its related list of names to
automatically notify a supervisor that his/her approval is required for a subordinate’s travel
authorization or travel voucher. However, this solution requires manual reconciliation because the
lists of names are updated by three different sources.

When a new employee reports for duty, an Administrative Officer in the responsible division
creates a personnel file and submits the necessary payroll information to NFC.
The Administrative
Officer also creates a record in CCHRIS. Next, a DIRM employee sets up an e-mail account for the
new employee. Finally, DIRM security establishes an ENTRUST profile for the employee. At this
point, the new employee appears on four separate lists of names and may have a different variation
of their name on each list. The solution to the list of names dilemma will occur in early 2001, when
CHRIS is implemented. The list of names in this system will be the official FDIC system of record
for employee information. CHRIS will use a unique employee identification number, which can be
used to eliminate the problem of multiple representations of the same name.

Sound management practices dictate that an organization should have only one official list of
employee names. More than one list can cause confusion and result in unnecessary maintenance
expenses. As an interim solution, the administrative officer making initial contact with a new
employee or processing changes to existing employee records could distribute this information to
the various system administrators whose systems use a list of employee names, thereby reducing
discrepancies between the lists. DOA should instruct administrative officers to distribute copies
of new employee forms to responsible system administrators.
The names (that is, legal names) on these forms could be used by any system that uses lists of names.

Recommendations

We recommend that the Director, DIRM and CIO:

(6) Furnish a listing of all computer systems that use employee names in their processes to
    administrative officers.

We recommend that the Director, DOA:

(7) Instruct all system administrators to use only the employee names that are provided to them by
    administrative officers.

(8) Instruct all administrative officers to provide information on new hires or changes to existing
    employee records to system administrators whose systems use employee names in their processes.


CORPORATION COMMENTS AND OIG EVALUATION

On July 17, 2000, the Director, DIRM, provided a written response to a draft of the report agreeing
with the report’s contents and recommendations. The Director’s response is presented in appendix
II of this report.

The Director, DOA, provided a written response to the draft report, dated July 20, 2000. The
Director’s response agreed with the report’s contents and addressed the recommendations. The
Director’s response is presented in appendix III of this report.

On July 18, 2000, the Director, DOF, provided a written response to the draft report. The DOF
response did not fully address our recommendations. However, alternative actions proposed by
DOF management at a meeting on July 20, 2000 met the intent of our recommendation. DOF
management explained, in greater detail, how the new guidelines for project accountability will be
used in conjunction with DIRM’s PILLAR system for collecting project expenses. DOF indicated
that it will issue the guidance by August 31, 2000. The DOF response also requested clarification
of several items contained in the draft report.
The requested clarifications related to the contents of
earlier OIG suggestions involving ETVPS; communications to the IT Council regarding changes to
project scope, cost, and schedule; and reasons for changes in ETVPS functionality. We revised the
final audit report to address these comments. The Director’s response is presented in appendix IV of
this report.

The Corporation’s responses to the draft report and proposed alternative actions provide the
elements necessary for management decisions on each of the report’s recommendations.
Accordingly, no further response to this report is required.


APPENDIX I

[Appendix I, pages 12-51 of this report, contains prior OIG work in the ETVPS area. It is available
in hard copy by contacting the FDIC Public Information Center.]


CORPORATION COMMENTS
APPENDIX II

Federal Deposit Insurance Corporation
3501 North Fairfax Dr., Arlington, VA 22226
Division of Information Resources Management

July 17, 2000

TO:       David H. Loewenstein
          Assistant Inspector General

FROM:     Donald C. Demitros, Director

SUBJECT:  DIRM Management Response to the Draft OIG Report Entitled, “Audit of the
          Development of the Electronic Travel Voucher Payment System” (Audit No.
          98-905)


The Division of Information Resources Management (DIRM) has reviewed the subject draft audit
report and generally agrees with the findings and recommendations. Responses to each of the
specific recommendations (1, 3, 4, 5 and 6) directed to DIRM are provided below. The Division of
Finance (DOF) is responding to recommendation number 2 under separate cover. The Division of
Administration (DOA) is responding to recommendation numbers 7 and 8 under separate cover.

Management Decision:

Recommendation: (1) We recommend that the Director, DIRM and CIO, incorporate the cost
control procedures developed by DIRM and the IT Technical Committee into either a formal policy
directive or the FDIC’s SDLC Manual.

   DIRM Response:

   DIRM believes that over the last two years sufficient internal controls have been adopted and
   are now in place to adequately monitor IT development costs and schedules. DIRM firmly
   believes that project management and oversight rests squarely in DIRM with appropriate
   oversight by the IT Technical Committee and the IT Council. Discussions held earlier this year
   with the OIG regarding project oversight have resulted in an agreement that the newly
   implemented Technical Committee reallocation and review of projects provides the necessary
   independent project oversight.
   These procedures were formalized and approved by the IT
   Technical Committee in April of 2000, two months after the exit conference for this audit.
   DIRM will continue to reappraise existing policies and procedures to enhance them as needed.
   DIRM also remains committed in its adherence to the following policies, procedures and
   activities, which have been implemented since the commencement of the ETV project:

   •   May 1998 - DIRM developed cost-benefit analyses guidelines which define internal DIRM
       procedures to be followed for the cost-benefit analyses.

   •   July 1998 - The Director, Division of Finance issued Circular 4301.1 requiring cost-benefit
       analyses be performed on all capital assets costing more than $3 million.

   •   July 1998 - DIRM Post Implementation Review (PIR) implemented to critically assess the
       quality of system development projects and improve overall IT investment management.

   •   August 1998 - The Budget Costs analysis was first incorporated as an integral piece of the
       discretionary overall IT project budget-ranking process.

   •   April 1999 - Drafted System Development Life Cycle update, which detailed more rigorous
       project oversight and project management.

   •   April 2000 - The IT Technical Committee approved new midyear budget reallocation
       procedures.

   •   April 2000 - The IT Technical Committee first utilized the new reallocation procedures for
       mid-year budget review.


Recommendation: We recommend that the Director, DIRM and CIO, develop specific procedures
for system development projects that will cross DIRM organizational lines.
The procedures should
clarify the role and responsibilities of the project manager and should include:

   (3) Identifying, at the beginning of project, all resources believed necessary to complete the
       system development project and updating this information periodically.

   (4) Obtaining commitments from appropriate DIRM components to ensure the availability of
       needed resources throughout the project.

   (5) Developing a process to schedule and monitor project resources obtained from DIRM sections.

       DIRM Response: DIRM agrees with these recommendations. Virtually all applications
       projects cross DIRM organizational lines (i.e. desktop, security, server, change management,
       etc). The ETVPS project team held weekly meetings with members of Technical
       Infrastructure and Security to ensure coordination of implementation activities. The ETVPS
       project plan also included the required tasks and timelines for all Technical Infrastructure
       and Security. It is currently the project manager's responsibility to ensure the
       accomplishment of the actions identified in these recommendations.

       As noted by the OIG in the draft report, ETVPS presented DIRM with some complex and
       unique project management challenges. Given those complexities, DIRM recognizes that
       there are some lessons to be learned and some best practices to use in future projects,
       especially in common objects development initiatives. To address these recommendations,
       DIRM will issue a policy/procedural memorandum to all applications project managers
       highlighting the recommended activities as well as reiterating the project management
       requirements of the SDLC. In addition, DIRM will conduct an ETVPS lessons learned/best
       practices briefing for project managers to reiterate the recommended activities.
       Both the briefing and memorandum will be completed by August 17, 2000.

Recommendation: We recommend that the Director, DIRM and CIO:

   (6) Furnish a listing of all computer systems that use employee names in their processes to
   administrative officers.

       DIRM Response: DIRM agrees that there is a need for a Corporate standard listing of
       employee names. There are currently two primary source systems for employee names,
       Outlook and the NFC Payroll System. DIRM recommends that these two systems be used
       by the administrative officers as an interim solution to meet this need. DIRM will provide
       the Division of Administration with the names of the systems administrators for these two
       systems by August 31, 2000 to ensure that any changes to existing employees or new hires
       are captured in these two source systems.


Please address any questions to DIRM's Audit Liaison, Rack Campbell, on (703) 516-1422.


CORPORATION COMMENTS
APPENDIX III

Federal Deposit Insurance Corporation
550 17th Street, NW, Washington, DC 20429
Division of Administration

July 20, 2000

TO:       David H. Loewenstein
          Assistant Inspector General

FROM:     Arleas Upton Kea
          Director, Division of Administration

SUBJECT:  Management Response to Draft Report entitled Audit of the
          Development of the Electronic Travel Voucher Payment System
          (Audit No.
          98-905).

The Division of Administration (DOA) has completed its review of the Office of Inspector General
(OIG) Draft Report entitled “Audit of the Development of the Electronic Travel Voucher Payment
System.” The OIG identified four audit findings and made eight recommendations. However, our
response focuses solely on those recommendations (7 and 8) made directly to the Division of
Administration. The remaining report recommendations (1 through 6) addressed to the Division of
Finance and/or the Division of Information Resources Management (DIRM) will be responded to
by the respective Divisions separately.

Based on our preliminary review, corrective actions are required for all recommendations addressed
to DOA. It is our plan to move promptly to implement the recommendations as outlined in the draft
report.

MANAGEMENT DECISION

Finding: Multiple Lists of Employee Names Hindered ETVPS Development

Recommendation # 7: Instruct all system administrators to use only the employee names that are
provided to them by administrative offices.

Management Response: DOA concurs with the recommendation. DIRM is currently working to
provide a listing of all system administrators to DOA. Upon receipt of the listing, DOA will
instruct all system administrators in writing within 30 days that they are required to use only the
names that are provided to them by the administrative offices.

Recommendation # 8: Instruct all administrative officers to provide information on new hires or
changes to existing employee records to system administrators whose systems use employee names
in their processes.

Management Response: DOA concurs with the recommendation. DOA will instruct all
administrative officers in writing by August 30, 2000.

If you have any questions regarding this response, you may contact Andrew O.
Nickle, Audit
Liaison for the Division of Administration, at (202) 942-3190.


cc:    Cindy Medlock
       Mary Anderson


CORPORATION COMMENTS
APPENDIX IV

FDIC
Federal Deposit Insurance Corporation
801 17th Street NW, Washington, D.C. 20434
Division of Finance

July 18, 2000

MEMORANDUM TO:  David H. Loewenstein
                Assistant Inspector General

FROM:           Fred Selby
                Director

SUBJECT:        Response to Draft Report Entitled Audit of the Development of the
                Electronic Travel Voucher Payment System (Audit No. 98-905)


Thank you for the opportunity to comment on your draft report. As previously communicated to
your office, we do not take exception with the majority of the report. However, we do believe that
there are certain sections wherein statements are made which do not accurately portray the situation
and additional clarification is needed to properly represent the facts surrounding the Electronic
Travel Voucher Payment System (ETVPS) initiative.

BACKGROUND SECTION

•   You state on page 4 “Our suggestions included eliminating the process to audit all travel
    vouchers…” and “Our recommendations…streamlining the Corporation’s travel policies and
    procedures.” While we believe that the OIG was very helpful in providing observations and
    suggestions during the course of the development of ETVPS, these are not accurate
    statements.
    These two areas were part of our original process improvement efforts and were
    not added based upon any OIG suggestions or recommendations made during the
    development effort. As indicated in our July 17, 1996 response to the OIG Report entitled
    Information System Audit of the Electronic Travel Voucher System Development Project
    (Audit Report No. 96-088) included in attachment I, DOF Management then noted that these
    cost-saving initiatives were already in progress prior to the commencement of that particular
    audit. Furthermore, it was pointed out that when FDIC management previously proposed
    similar cost-saving initiatives, the OIG had considered anything less than 100% auditing of
    travel vouchers to be unsatisfactory. These initiatives were clearly part of management's
    project plan and not the result of OIG recommendations or suggestions during the course of
    the development of ETVPS and were clearly stated in a PowerPoint presentation delivered to
    the Audit Committee on July 16, 1996.

RESULTS OF AUDIT SECTION

•   Your statement that the ETVPS project team and Steering Committee did not provide the IT
    Technical Committee or the IT Council a full opportunity to consider changes in scope, cost,
    or schedule is not totally accurate. The report may be correct in stating that the IT Council
    did not have the full opportunity to consider changes in the scope, cost, or schedule related to
    the ETVPS project. However, the ETVPS project team had no direct access to the IT
    Council. Only the IT Technical Committee did. An interim cost benefit analysis was
    completed in July 1998 and a presentation of the interim CBA made to the IT Technical
    Committee on July 28, 1998.
    We believe this statement needs to be revised to indicate that
    only the IT Technical Committee and not the ETVPS project team and Steering Committee
    did not provide the IT Council full opportunity to review/approve changes.

IMPROVED CONTROLS NEEDED TO MONITOR COSTS AND SCHEDULES

•   The statement that the ETVPS development team decided to reduce the functionality of a
    portion of the system to complete the system by yearend is not an accurate depiction of the
    reason that the changes were made. While there was an attempt to complete ETVPS by
    yearend, the changes made were impacted by the reality of the cost/benefit consideration of
    the more complicated routing necessary for special travel rather than the consideration of
    only making changes to ensure completion of the project by 12/31/99.

IMPROVED PROCEDURES ARE NEEDED TO TRACK PROJECT COSTS

•   The allocation that DIRM utilizes for charging salaries to projects is for their internal
    reporting only. FIMS treats benefits consistently.

RECOMMENDATION NO. 2

•   We don’t believe that this recommendation by itself serves as a solution to the problem as it
    still won’t necessarily drive the preparer from the default to the desired project number.
    Today’s default is not to enter a project number. In the short term significant resources
    would have to be expended on FIMS, as well as other source systems, in order to make this
    recommendation a reality. A short-term expenditure of resources at this point would appear
    to be counter-productive. DOF is seeking a long-term solution and has initiated several
    efforts to address this concern.

    DOF believes that the key to successful project cost management is a knowledgeable and
    attentive project manager who knows all facets of the project and monitors cost from all
    sources.
    As previously indicated in our response to the OIG Report Entitled Audit of the
    FDIC's Strategic Planning for Information Technology Resources (Audit No. 00-013) and
    agreed to by the OIG, DOF is currently working on a long-term financial modernization
    project. In the interim, DOF is developing a Project Number Management Program that will
    establish clear rules for project number usage as well as expectations for any project manager
    requesting a project number. Accountability to these guidelines will be a better way to
    ensure completeness and accuracy rather than initiating changes to FIMS. A draft of the plan
    is expected to be completed within the next few weeks. As a further interim step, DOF will
    initiate a program for Budget Year 2001 with the Division of Information and Resource
    Management (DIRM) using DIRM's project based version of Pillar to collect budgets and
    expenses for development projects.

If you have any questions with our response or would like to discuss it further, please don't
hesitate to contact Stan Pawlowski or myself.

CC:    Don Demitros
       Arleas Upton Kea
       Steve Anderson
       Karen Hughes
       Russ Cherry
       Ralph Elosser
       Mike Agresto
       Chris Husker
       Patti Neal
       Gary Peck
       Stan Pawlowski
       Ed Mahaney
       Mike Hannah


APPENDIX V

MANAGEMENT RESPONSES TO RECOMMENDATIONS

The Inspector General Act of 1978, as amended, requires the OIG to report the status of management
decisions on its recommendations in its semiannual reports to the Congress.
To consider FDIC’s responses as management decisions in accordance with the act and related
guidance, several conditions are necessary. First, the response must describe for each recommendation

•   the specific corrective actions already taken, if applicable;
•   corrective actions to be taken together with the expected completion dates for their implementation; and
•   documentation that will confirm completion of corrective actions.

If any recommendation identifies specific monetary benefits, FDIC management must state the amount
agreed or disagreed with and the reasons for any disagreement. In the case of questioned costs, the
amount FDIC plans to disallow must be included in management’s response.

If management does not agree that a recommendation should be implemented, it must describe why the
recommendation is not considered valid. Second, the OIG must determine that management’s descriptions
of (1) the course of action already taken or proposed and (2) the documentation confirming completion
of corrective actions are responsive to its recommendations.

This table presents the management responses that have been made on recommendations in our report and
the status of management decisions. The information for management decisions is based on management’s
written response to our report and subsequent discussions with management representatives.


Rec. Number: 1
Corrective Action: Taken or Planned/Status: The Corporation agreed with our recommendation and has
    already taken action. Procedures for IT Technical Committee reallocation and review of projects
    were formalized and approved by the IT Technical Committee in April 2000.
Expected Completion Date: April 2000
Documentation That Will Confirm Final Action: Formal IT Technical Committee policy statements
Monetary Benefits: Not quantifiable
Management Decision: Yes or No: Yes

Rec. Number: 2
Corrective Action: Taken or Planned/Status: DOF management did not agree with our recommendation.
    However, proposed alternative actions presented by DOF at a meeting on July 20, 2000 met the
    intent of our recommendation. DOF agreed to incorporate the use of DIRM’s expense collection
    system, PILLAR, in their project accountability guidance.
Expected Completion Date: August 31, 2000
Documentation That Will Confirm Final Action: Project accountability guidance
Monetary Benefits: Not quantifiable
Management Decision: Yes or No: Yes

Rec. Number: 3, 4, & 5
Corrective Action: Taken or Planned/Status: The Corporation agreed with our recommendations. DIRM
    will issue a policy/procedure memorandum to all applications project managers highlighting
    recommended activities as well as reiterating the project management requirements of the SDLC
    manual. In addition, DIRM will conduct an ETVPS lessons learned/best practices briefing for
    project managers to reiterate the recommended activities.
Expected Completion Date: August 17, 2000
Documentation That Will Confirm Final Action: Memorandum and briefing documentation
Monetary Benefits: Not quantifiable
Management Decision: Yes or No: Yes

Rec. Number: 6
Corrective Action: Taken or Planned/Status: The Corporation agreed with our recommendation. DIRM
    will provide the Division of Administration with the names of the system administrators by
    August 31, 2000.
Expected Completion Date: August 31, 2000
Documentation That Will Confirm Final Action: List of system administrator names
Monetary Benefits: Not quantifiable
Management Decision: Yes or No: Yes

Rec. Number: 7 & 8
Corrective Action: Taken or Planned/Status: The Corporation agreed with our recommendations. DOA
    will instruct all system administrators in writing within 30 days that they are required to use
    only the names that are provided to them by the administrative offices.
Expected Completion Date: August 30, 2000
Documentation That Will Confirm Final Action: Written instructions to system administrators
Monetary Benefits: Not quantifiable
Management Decision: Yes or No: Yes